ptrace

I am using CreateRemoteThread in Windows and would like to know if the same thing is possible in Linux. Is it possible to do this in Linux? The traditional way of doing this on Linux would be to create a dynamic library (.so) with your code in it, then separately force the loading of your library into the running application. There is no one-stop shop as there is with CreateRemoteThread on Windows. So here are the basic steps: Create a dylib/so that contains the code you wish to execute in the remote process. Write some very simple code in assembly that loads the specified so file (mainly copy

Experimenting with the ptrace() system call, I am trying to trace another thread of the same process. According to the man page, both the tracer and the tracee are specific threads (not processes), so I don't see a reason why it should not work. So far, I have tried the following: use PTRACE_TRACEME from the clone() d child: the call succeeds, but does not do what I want, probably because the parent of the to-be-traced thread is not the thread that called clone() use PTRACE_ATTACH or PTRACE_SEIZE from the parent thread: this always fails with EPERM , even if the process runs as root and with

I want to get a backtrace -like output as gdb does. But I want to do this via ptrace() directly. My platform is Linux, x86; and, later x86_64. Now I want only to read return addresses from the stack, without conversion into symbol names. So, for test program, compiled in -O0 mode by gcc-4.5 : int g() { kill(getpid(),SIGALRM); } int f() { int a; int b; a = g(); b = a; return a+b; } int e() { int c; c = f(); } main() { return e(); } I will start a my program and connect with ptrace to test program at very beginning. Then, I will do PTRACE_CONT and will wait for signal. When test program will do

0x00 前言 动态调试是比静态分析更为高效地一种破解手段。因此在破解安卓应用之前，一般会先对应用进行动态调试，了解应用大致运行流程和各个类之间的逻辑关系。 反动态调试可以从以下两个个方向着手： 1.运行环境检测：检测应用的运行环境是否安全，是否可能存在被调试的风险 2.动态调试指令检测：检测应用的运行过程中是否受到动态调试指令的控制 本文完全参考自网友 爱吃菠菜 的反调试总结，由于我的资料是pdf文档，已经找不到出处，在此对网友 爱吃菠菜 说一声抱歉。 0x01 运行环境检测 1.调试端口检测 不同调试器默认使用不同的调试端口，且这些端口默认值往往不被修改。 2.调试器进程检测 不同调试器会在系统中创建不同进程对应用进行劫持以达到动态调试目的。 3.父进程名检测 针对so文件，破解者可以自己编写一个APK对so库进行调试。 （1）正常启动的apk程序：父进程是zygote （2）调试启动的apk程序：在AS中用LLDB调试发现父进程还是zygote （3）附加调试的apk程序：父进程是zygote （4）vs远程调试 用可执行文件加载so:父进程名为gdbserver 父进程名非zygote的，判定为调试状态。 4.自身进程名检测 原理同上条。正常的APK进程名一般为入口类的目录。形如：com.xxx.xxx.xxxx.xxxMainActivity。在开发时，该值是已知的

Reading Monitoring certain system calls done by a process in Windows I'm wondering about a Windows equivalent to the ptrace syscall or a programatically workaround. You can use ETW to trace system calls. When starting the trace, in EVENT_TRACE_PROPERTIES, you can add EVENT_TRACE_FLAG_SYSTEMCALL flag to EnableFlags. This enables SysCallEnter and SysCallLeave events, as described here . 来源： https://stackoverflow.com/questions/865106/is-there-something-like-linux-ptrace-syscall-in-windows